Execution Environment Service (EES)

FUNCTIONAL DESCRIPTION
The EES is a pluggable, configurable authorisation service similar to the Site
Central Authorisation Service (SCAS).
The role of the EES is to ensure that an appropriate site-specific execution
environment is procured based on the site-agnostic obligations and attributes it
receives as input in the form of SAML2-XACML2 requests. It runs as a standalone
service, typically responding to requests from a Policy Enforcement Point (PEP)
which have been augmented with information from a Policy Decision Point (PDP).

From the outside, the EES can be viewed as an obligation transformer; for
example it can be used to transform a site-agnostic obligation for a local
account mapping to a site-specific obligation for on-demand virtual machine
deployment.

To integrate the EES with an existing Argus installation, a separate component
called the EES Obligation Handler should be configured in the PEP daemon. For
more details regarding integration in Argus, please see the documentation for
this component.
The EES itself ships with a pre-configured transformer plug-in which extracts
PDP data from the SAML2-XACML2 environment attributes. This plug-in is not
required when PDP data is not transmitted to the EES.

DAEMONS RUNNING
${prefix}/sbin/ees

INIT SCRIPTS AND OPTIONS (start|stop|condrestart|restart|reload|status)
${prefix}/etc/init.d/ees

CONFIGURATION FILES WITH EXAMPLE OR TEMPLATE
The EES is designed to be highly customizable.
Its configuration model allows policies to be expressed as state machines in the
Policy Description Language (PDL), whose branches end in pre-configured plug-in
instances.
A small example as well as an ees.conf manpage are provided.
${prefix}/etc/ees.conf

LOGFILE LOCATIONS (AND MANAGEMENT) AND OTHER USEFUL AUDIT INFORMATION
Syslog available: yes
Log file configurable: yes
Loglevels and syslog facility are also configurable

OPEN PORTS
6217

POSSIBLE UNIT TEST OF THE SERVICE
High-level test scripts (test_ees.sh and test_ees_with_curl.sh) are available.

WHERE IS SERVICE STATE HELD
The EES uses plug-ins to connect to various other middleware. The configuration
file for the EES defines the plug-ins used, as well as any dependent
configuration files.

An integral part of the EES is the Attribute and Obligations Store (AOS), which
is a component that allows plug-ins to query the (transient) SAML2-XACML2 data
received. This object store is exposed through a simple API. This data can be
logged, but the intermediate state is not saved.

CRON JOBS
None.

SECURITY INFORMATION
As the EES currently only uses plain HTTP, it should run firewalled from the
rest of the network, only allowing the Argus PEPd access.

ACCESS CONTROL MECHANISM DESCRIPTION (AUTHENTICATION & AUTHORIZATION)
Mandated by plug-in and network configuration.

HOW TO BLOCK / BAN A USER
Through Argus.

NETWORK USAGE
Exposes a SOAP service that transforms SAML2-XACML2 requests.

FIREWALL CONFIGURATION
The EES currently has no support for TLS connections.
System administrators should configure the EES host to only allow access to the
EES from the PEPd host.
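As an added example (not part of the EES package or the Argus documentation), the following POSIX shell script audits an iptables INPUT chain, as printed by iptables -S INPUT, to confirm that port 6217 only accepts connections from the PEPd host, and prints the two rules that implement the restriction when it does not. The PEPd address 192.0.2.10 is an assumed placeholder and the rule listings are constructed.

```shell
#!/bin/sh
# Added example: check that the EES port (6217) is reachable only from the
# Argus PEPd host. PEPD_HOST is a placeholder; the listings are constructed.

EES_PORT=6217
PEPD_HOST=192.0.2.10    # placeholder: put the real Argus PEPd address here

# Print the two iptables rules that restrict the EES port to the PEPd host.
ees_firewall_rules() {
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Read 'iptables -S INPUT' output on stdin. Return 0 when every ACCEPT for the
# port names the PEPd host as source and all other hosts hit a DROP/REJECT rule
# or a DROP default policy; return 1 otherwise.
ees_port_restricted() {
    pepd=$1; port=$2
    rules=$(cat)
    port_rules=$(printf '%s\n' "$rules" | grep -E -- "--dport $port( |$)") || true
    # Any ACCEPT for the port that is not bound to the PEPd source is a hole.
    if printf '%s\n' "$port_rules" | grep -F -- '-j ACCEPT' \
        | grep -v -F -- "-s $pepd/32 " | grep -q .; then
        return 1
    fi
    # Everyone else must be dropped, either by an explicit rule or by policy.
    printf '%s\n' "$port_rules" | grep -q -E -- '-j (DROP|REJECT)' && return 0
    printf '%s\n' "$rules" | grep -q -F -- '-P INPUT DROP'
}

# Constructed listings in 'iptables -S INPUT' format.
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 6217 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6217 -j DROP'
BAD_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 6217 -j ACCEPT'

# Report on one listing and print the corrective rules if it is open.
report() {
    if printf '%s\n' "$2" | ees_port_restricted "$PEPD_HOST" "$EES_PORT"; then
        echo "$1: port $EES_PORT restricted to PEPd host $PEPD_HOST"
    else
        echo "$1: port $EES_PORT open to other hosts; suggested rules:"
        ees_firewall_rules "$PEPD_HOST" "$EES_PORT"
    fi
}
report GOOD_RULES "$GOOD_RULES"
report BAD_RULES "$BAD_RULES"
```

On a live host, pipe the real chain into the check: `iptables -S INPUT | ees_port_restricted "$PEPD_HOST" "$EES_PORT"`.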

SECURITY RECOMMENDATIONS

SECURITY INCOMPATIBILITIES

LIST OF EXTERNAL PACKAGES
SAML2-XACML2-C-LIB

OTHER SECURITY RELEVANT COMMENTS

UTILITY SCRIPTS

LOCATION OF REFERENCE INFORMATION FOR USERS
Argus documentation

LOCATION OF REFERENCE INFORMATION FOR ADMINISTRATORS
https://wiki.nikhef.nl/grid/EES

